LivingSocial Data Breach Affects Millions

LivingSocial, an e-commerce startup, revealed a massive data security breach late Friday, informing at least 50 million of its users that attackers had infiltrated its systems and gained access to some of its customer data.

The Washington, D.C.-based company, which aims to give users a local marketplace experience, said the attackers accessed users' names, email addresses and dates of birth. The breach also included encrypted passwords; the company said in its message to users that it hashes and salts its passwords.

The company said credit card data was stored on separate systems segmented from the rest of its network and was not affected by the breach. Users of LivingSocial who log in via Facebook were also not affected, the company said.

LivingSocial spokesperson Andrew Weinstein told CRN that the company is not discussing any details of the attack while the investigation is ongoing.

"We are contacting customers in all of the countries in which LivingSocial operates except South Korea, Thailand, Indonesia, and the Philippines, as our TicketMonster and Ensogo subsidiaries store their data on different servers," Weinstein said.

A "create new password" button on the site directs users to a password reset page.

"Please note that LivingSocial will never ask you directly for personal or account information in an email," wrote LivingSocial CEO Tim O'Shaughnessy in a message to users. "We will always direct you to the LivingSocial website -- and require you to log in -- before making any changes to your account."

LivingSocial.com, founded in 2008, describes itself as a "social discovery and cataloging network." The company secured a $175 million investment from Amazon.com in 2010. It joins a long line of e-commerce vendors, social networks and other websites that have experienced data breaches exposing sensitive user information.

Cloud-based data storage firm Evernote announced a data breach in March impacting all 50 million of its users. The breach included names, email addresses and passwords. In February, Twitter reset the accounts of 250,000 of its users following a breach of its systems. Meanwhile, an email breach at online customer support provider Zendesk impacted Tumblr and Pinterest users.

Stolen account credentials give attackers easy access to corporate networks, said Ross Barrett, senior manager of security engineering at Boston-based vulnerability management vendor Rapid7. Massive email and password data breaches can be lucrative for attackers because it's common for users to reuse their IDs and passwords. Encrypted and salted passwords can eventually be cracked, Barrett said in a statement.

"Salting is an additional layer of security added on top of the encryption to make it more difficult -- but not impossible -- to decode," Barrett said. "Once the nature of the salt is determined, they can uncover the passwords much quicker."

Organizations are not compelled by regulations to store passwords securely, according to Garret Grajek, CTO and co-founder of authentication vendor SecureAuth. In a blog post about the breach, Grajek said organizations should encrypt passwords and tightly control access to stored user data.

"In insecure enterprise environments, users are allowed to keep their passwords in each of the service providers, allowing hackers to attack the weak cloud sites to obtain identity information," Grajek said.